remcos | af5bde79a81f40f3f422fc951e9e02e17306157a0e9f109a0c7e4c8c70668c7a

Analysis

max time kernel
42s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ.exe
Size

1.4MB
MD5

a88b0ddc1c80b37e8af7ca017929bf88
SHA1

601ae4b9be7c6619680d6ac19e4dae3acb572464
SHA256

9b6c97ad4d3d563b1bf7330e0aef16649514a1e0ac422bf99368bbb5a0069c4c
SHA512

a776e6d0db9c16ed2b2ce90ed06f3cdc4101e05399503c201a8c409a3d4b8b846d7a6dce5ca634199946962a6655788b7d6bed44509e76bd69a7590c3dbbe927
SSDEEP

24576:ozsSzxWeyf1eLZajkRqxnTf/7UeCL4EryZNK0P+:ozsUW5fJkUnTfDUe04Ee7bW

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

154.216.16.54:6092

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-YJ70D0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
true
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
2792	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	RFQ.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	RFQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	RFQ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4552 set thread context of 3260	4552	RFQ.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RFQ.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 2792	4552	RFQ.exe	91
PID 4552 wrote to memory of 2792	4552	RFQ.exe	91
PID 4552 wrote to memory of 2792	4552	RFQ.exe	91
PID 4552 wrote to memory of 3260	4552	RFQ.exe	93
PID 4552 wrote to memory of 3260	4552	RFQ.exe	93
PID 4552 wrote to memory of 3260	4552	RFQ.exe	93
PID 4552 wrote to memory of 3260	4552	RFQ.exe	93
PID 4552 wrote to memory of 3260	4552	RFQ.exe	93
PID 4552 wrote to memory of 3260	4552	RFQ.exe	93
PID 4552 wrote to memory of 3260	4552	RFQ.exe	93
PID 4552 wrote to memory of 3260	4552	RFQ.exe	93
PID 4552 wrote to memory of 3260	4552	RFQ.exe	93
PID 4552 wrote to memory of 3260	4552	RFQ.exe	93

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\RFQ.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3260
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2836
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      PID:1336
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:4176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff874cb46f8,0x7ff874cb4708,0x7ff874cb4718
        7⤵
        
        PID:1764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        7⤵
        
        PID:1240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        7⤵
        
        PID:3168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
        7⤵
        
        PID:1736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        7⤵
        
        PID:5052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        7⤵
        
        PID:2312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
        7⤵
        
        PID:4940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
        7⤵
        
        PID:4404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
        7⤵
        
        PID:4456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
        7⤵
        
        PID:5060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
        7⤵
        
        PID:2572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
        7⤵
        
        PID:4352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
        7⤵
        
        PID:1260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
        7⤵
        
        PID:4996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
        7⤵
        
        PID:2164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff874cb46f8,0x7ff874cb4708,0x7ff874cb4718
        7⤵
        
        PID:4020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
1.4MB

MD5
a88b0ddc1c80b37e8af7ca017929bf88

SHA1
601ae4b9be7c6619680d6ac19e4dae3acb572464

SHA256
9b6c97ad4d3d563b1bf7330e0aef16649514a1e0ac422bf99368bbb5a0069c4c

SHA512
a776e6d0db9c16ed2b2ce90ed06f3cdc4101e05399503c201a8c409a3d4b8b846d7a6dce5ca634199946962a6655788b7d6bed44509e76bd69a7590c3dbbe927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\069a0a44-e968-48fc-b2c4-9efa498e9d82.tmp

Filesize
6KB

MD5
4fa0dd8d1b40f2b5ea84613d6bc38fb2

SHA1
4b1553fa9dc36e2eff0560f3a6af53229f2f08db

SHA256
c28233a429cce74fdefe84ccc97cce1dc5d9e6a229368b46c24bb3a106286a62

SHA512
1f66e5d8f43a6c8add58e82b59cda3e92576771de414b0b8ab86b6c14a470175c89ffeeca236585edef1a67a39bed0d7625cb349063d04a6401b076c958d1222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
3fcca9583d0a7b669420ee8403f53fd4

SHA1
76dc1b7715009d60b654b0b1617b16adcaf8d6e1

SHA256
d6af800b9e4183789b133d33b63012983e138c99cac8c3ce0756a4fda3b758aa

SHA512
01442ed83a5f1d8de355f9ad81472f52cceff1f896e8738947d3b69720c7e0080b4a5174e2900f73c47502a5d5b1aef01710ce7c2e56dc3600907a1861b3de1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bb729543896a9baa802d475dbc222fc6

SHA1
5a12071f99fb1b316506070eea1d09e706a5e706

SHA256
9449346373d237e8bf43d387d4b59eebf50e43836d2e8e36a9f8136b30e68f93

SHA512
73a699765a7d4b2cd4e9f714cda65f60047601ddf795c256d0f820f02dc068e7ce4a814fa38f17011b8e33169fbcedd46be679d0958260bcc8b312f6fc52f672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
12abe0fc977bf3d684fec03d32979250

SHA1
503bef881f53844465a1a30e86ebdae502a75d61

SHA256
8ebeac513b89558ee97e731eb5d9ff9618daa631ff530ed2e7f4e4c6fd269df5

SHA512
e87c44453eb4b70fedc7c5c145d6552869cb663c9d3678d3a3290a74e7ceb2d36d1585ed074b7e83e1535a04e2600cccd9436e48d986aad59e98a69260dd009e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe597303.TMP

Filesize
371B

MD5
06b1a3024a773d46aa7e0c6df1f43f7f

SHA1
27a3b12925bef401e31dcee7a2c07df6ea68d533

SHA256
475dd9744772d08b00fac0893987f70738d7d91191f64bad9d4a49428f180bd2

SHA512
3f4ce9e2e6f179037628f52debb5a2fe2865263091fee2692d7e1f72233b91550d0c1b59f2ed7817b50bdb6e1990fccc2d6d197556d674e504fa162bf0bd3f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\baee100f-9b70-47fc-9c8c-083951c85ae9.tmp

Filesize
6KB

MD5
2c2771b99aeefe62117b3efb26cfad65

SHA1
4a87a3be497e9b6f01b20eb3badf67ca38180c00

SHA256
d9a9a712dfc6b547470dbc6cdb59c9702c92549ada36ec2e709430784c2543a8

SHA512
8b9df80b7f8ee630e11e953545ed5c504fa91d270c3857425949caaaa4a52a0197d82490d081d752abc51c47086d500765fdd441157124db7f7d89216e32d107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2367893b4d51115b10f4705c9df471b1

SHA1
8889a09ce8313d07ce56da909fc74b4d1d276bd7

SHA256
4aff2f53fa479ef7365adfc7894cd1594dd9075dfda6ebecd39dbfc24df9facc

SHA512
1a33a6633ab28259b2a8df452c1c013bbeddff504a649510b96584e9cc496fd6b9beafb02520021165a4a1d9bda037767074615c71a474d1fde0d147379c154a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5865211c965f6d1285ae508e63ace2eb

SHA1
89cbaba8447d8ff1d29bac037af5f72d5cf6c96b

SHA256
552b4a9eda89ed5409df4be58e4f557c1affc421fca438c69064388aec841b51

SHA512
5058e7cc891b0749989575a7dc442abe574d746d8e0ce2272ad71e27279a54ef2b97fd6a4a1f9f99486d66f9bc9ba1d0fcdc20edf86a4f9a4eb5503739c6dc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uf4ban4e.zcg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1336-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2392-74-0x0000000005900000-0x0000000005912000-memory.dmp

Filesize
72KB

Download
memory/2792-22-0x0000000005A30000-0x0000000006058000-memory.dmp

Filesize
6.2MB

Download
memory/2792-67-0x0000000007CD0000-0x0000000007CDE000-memory.dmp

Filesize
56KB

Download
memory/2792-35-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/2792-19-0x0000000002E50000-0x0000000002E86000-memory.dmp

Filesize
216KB

Download
memory/2792-36-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/2792-46-0x00000000061B0000-0x0000000006504000-memory.dmp

Filesize
3.3MB

Download
memory/2792-34-0x00000000057D0000-0x00000000057F2000-memory.dmp

Filesize
136KB

Download
memory/2792-47-0x0000000006780000-0x000000000679E000-memory.dmp

Filesize
120KB

Download
memory/2792-48-0x0000000006810000-0x000000000685C000-memory.dmp

Filesize
304KB

Download
memory/2792-29-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/2792-21-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/2792-73-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/2792-17-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/2792-70-0x0000000007DC0000-0x0000000007DC8000-memory.dmp

Filesize
32KB

Download
memory/2792-60-0x0000000007960000-0x000000000797E000-memory.dmp

Filesize
120KB

Download
memory/2792-61-0x0000000007980000-0x0000000007A23000-memory.dmp

Filesize
652KB

Download
memory/2792-50-0x00000000703D0000-0x000000007041C000-memory.dmp

Filesize
304KB

Download
memory/2792-63-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

Filesize
104KB

Download
memory/2792-62-0x00000000080E0000-0x000000000875A000-memory.dmp

Filesize
6.5MB

Download
memory/2792-49-0x0000000006D40000-0x0000000006D72000-memory.dmp

Filesize
200KB

Download
memory/2792-64-0x0000000007B10000-0x0000000007B1A000-memory.dmp

Filesize
40KB

Download
memory/2792-65-0x0000000007D20000-0x0000000007DB6000-memory.dmp

Filesize
600KB

Download
memory/2792-66-0x0000000007CA0000-0x0000000007CB1000-memory.dmp

Filesize
68KB

Download
memory/2792-69-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

Filesize
104KB

Download
memory/2792-68-0x0000000007CE0000-0x0000000007CF4000-memory.dmp

Filesize
80KB

Download
memory/2836-92-0x0000000070280000-0x00000000702CC000-memory.dmp

Filesize
304KB

Download
memory/2836-104-0x0000000007E70000-0x0000000007E84000-memory.dmp

Filesize
80KB

Download
memory/2836-103-0x0000000007E30000-0x0000000007E41000-memory.dmp

Filesize
68KB

Download
memory/2836-91-0x0000000006E50000-0x0000000006E9C000-memory.dmp

Filesize
304KB

Download
memory/2836-102-0x0000000007B00000-0x0000000007BA3000-memory.dmp

Filesize
652KB

Download
memory/3260-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3260-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3260-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3260-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3260-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4176-79-0x0000000000D00000-0x0000000000E60000-memory.dmp

Filesize
1.4MB

Download
memory/4552-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/4552-18-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4552-10-0x0000000006830000-0x00000000068F4000-memory.dmp

Filesize
784KB

Download
memory/4552-9-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4552-8-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/4552-7-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4552-4-0x0000000004D60000-0x0000000004D6A000-memory.dmp

Filesize
40KB

Download
memory/4552-6-0x0000000005010000-0x00000000050AC000-memory.dmp

Filesize
624KB

Download
memory/4552-5-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4552-3-0x0000000004DA0000-0x0000000004E32000-memory.dmp

Filesize
584KB

Download
memory/4552-2-0x00000000052B0000-0x0000000005854000-memory.dmp

Filesize
5.6MB

Download
memory/4552-1-0x00000000001E0000-0x0000000000340000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads